The article touches on the security aspect, but doesn't highlight the real tension: if you have a proper build cycle, part of that is automated security scanning with multiple tools. Once an EOLed part of your stack is raising issues, they'll keep getting raised and dismissed with an exception to the rule of "fix all security issues". The backlog of unfixable issues grows, and in places with strict policies about addressing issues, this becomes untenable.
JS microdependency packaging makes this exponentially worse.